The present invention relates to apparatuses and methods for judging whether unauthorized access to a component has taken place, depending on whether a measurement of circuit structures yields an expected result.
Nowadays, protective seals and copy protection systems exist in many variants and for different fields of application. However, they rarely prevent copying or cloning of electronic products, since breaking a seal or bypassing a copy protection can mostly only be proven visually and on site. Additionally, deactivation of the product's functionality after a seal has been broken is mostly not implemented, or can easily be bypassed by reverse engineering.
Due to their application-specific optimization, frequently at the expense of protection mechanisms, embedded systems are susceptible to product piracy, where the product is copied without much effort or even reproduced one-to-one. In a product teardown, a counterfeiter disassembles the system piece by piece into its individual parts, identifies the parts used, then performs a system analysis and reproduces a circuit with the same or equivalent parts. The required firmware can be read out from the original and imported into the reproduction, as described in [6] and [2]. The firmware is the actual core element of the system: it brings the product to life and thus normally contains most of the know-how. Protecting the firmware is therefore frequently given priority.
Known protection mechanisms try, for example, to prevent product teardown by removing labels and inscriptions on the individual parts used, for example by removing them with a laser, or by potting the circuit in opaque epoxy resin, polyurethane resin or silicone rubber, as described in [8]. However, this measure can easily be bypassed by removing the potting compound with chemical processes. If an attacker has an X-ray device at his disposal, he can read chip inscriptions through the potting compound and the chip package, as described in [2].
A further known protection method is shielding technology, as described, among others, in [2] and [9]. Here, a grid of conductive traces is laid directly across an area of a circuit or a component worth protecting. Severing the grid is detected by the underlying circuit, whereupon the application is deactivated by deliberately destroying the firmware, as described in [4], [1] and [3]. A serious problem with this procedure is that the protective device requires an energy supply. Without an energy supply, the detection mechanism is inactive and the application cannot be deactivated. A first remedy is provided by deriving cryptographic keys from the resistances, as known from [10]. However, the grid can be removed or bridged in order to gain direct access to the system, as described, for example, in [7]. Additionally, ohmic resistances can basically also be read out or measured easily, and the respective protective circuits can be removed and replaced by other resistors of identical values, which reduces the effect of the protective circuit.
Nowadays, simple password queries, trusted platform modules, security components (so-called secure elements) or dongle solutions are used to impede the system analysis step. This links the firmware to a hardware anchor and makes an exact one-to-one copy of the system more difficult. These measures can increase protection but cannot completely prevent manipulation of the system, since security queries in the firmware can be manipulated or skipped, interfaces to the components to be protected are not sufficiently secured, or software emulators simulate the presence of a dongle, as described in [2].
Further known protection mechanisms for embedded systems are physical unclonable functions (PUFs), described in [5]. The idea behind this mechanism is to protect hardware and software by measuring and digitally evaluating production tolerances, which are subsequently used as identification numbers and/or cryptographic keys. This information is unique for each component and cannot be copied or reproduced; PUFs can be evaluated and verified optically or electrically. PUFs provide manipulation protection in that, in a tuned system, the physical characteristics change under an attack, for example when an IC is opened, and thus distort the extracted information.
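The following is an added illustrative example, not code from the patent or any cited reference: a toy PUF-style check in the sense of the section above, where an identification bit string is extracted from production tolerances of circuit structures and a later measurement is accepted only if it reproduces that string within a small error budget. The resistance values, the pairwise-comparison bit extraction and the error tolerance are all constructed assumptions for this example.

```python
# Added illustrative example, not code from the patent: a toy PUF-style check
# ("does a measurement of circuit structures give the expected result?").
# Everything here is constructed: the resistances, the pairwise-comparison bit
# extraction and the error tolerance are assumptions for this example.
from typing import List


def extract_bits(measurement: List[float]) -> str:
    """Derive a bit string from production tolerances: compare neighbouring
    structures (bit = 1 if the first is larger). No absolute threshold is
    stored, so the bits depend only on the relative deviations of this unit."""
    if len(measurement) < 2:
        raise ValueError("need at least two measured structures")
    return "".join(
        "1" if a > b else "0" for a, b in zip(measurement, measurement[1:])
    )


def hamming(a: str, b: str) -> int:
    """Number of differing bit positions (inputs must have equal length)."""
    if len(a) != len(b):
        raise ValueError("bit strings differ in length")
    return sum(x != y for x, y in zip(a, b))


def check_component(measurement: List[float], reference: str, max_errors: int) -> bool:
    """Accept the component if the freshly extracted bits are within
    max_errors of the enrolled reference. A small tolerance absorbs
    measurement noise; larger deviations indicate a manipulated or a
    different (cloned) circuit."""
    return hamming(extract_bits(measurement), reference) <= max_errors


# Constructed sample data: nine 1 kOhm structures with roughly 1 % tolerance.
ENROLLED = [1004.2, 997.5, 1001.1, 1008.9, 993.0, 999.8, 1002.7, 990.4, 1006.3]
REFERENCE = extract_bits(ENROLLED)  # stored at enrollment
# Same unit re-measured later with small noise: must still be accepted.
NOISY = [1004.0, 997.8, 1001.3, 1008.6, 993.2, 999.6, 1002.9, 990.2, 1006.5]
# Same unit after physical interference with two structures: must be rejected.
TAMPERED = [1004.2, 997.5, 1001.1, 950.0, 993.0, 999.8, 1002.7, 1030.0, 1006.3]
# A reproduction built from parts of identical nominal value but different
# tolerances: must also be rejected, since the bits are unit specific.
CLONE = [999.1, 1003.4, 1000.7, 996.2, 1005.0, 1001.9, 994.8, 1003.1, 997.6]

if __name__ == "__main__":
    for name, m in (("noisy", NOISY), ("tampered", TAMPERED), ("clone", CLONE)):
        print(name, extract_bits(m), hamming(extract_bits(m), REFERENCE),
              check_component(m, REFERENCE, max_errors=1))
```

Real PUF schemes replace the raw comparison with error correction and helper data, and the stored reference itself must be protected against substitution, otherwise the check only confirms what an attacker wrote there.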
Currently, however, the use of electronic PUFs is mostly limited to IC components rather than the whole printed circuit board. They are deposited directly onto the chip before it is finally packaged. Production costs are therefore often quite high, since the automated CMOS processes have to be interfered with. Systems already in use, or individual microcontrollers, can often only be upgraded or retrofitted with these security features by a redesign of the overall system, which enormously increases the costs of their application.
Further potential security gaps when using microcontrollers arise from their debugging and programming interfaces, via which the firmware can be read out and manipulated. This is particularly problematic in systems that use external memory modules for storing the firmware. Using rework soldering equipment, these memory modules can be desoldered and read out with a flash programming device.
These solutions for protecting embedded systems offer individual and isolated measures, such as manipulation detection in the form of shielding or copy protection in the form of binding the firmware to a hardware anchor. A step towards combining manipulation detection and copy protection is the use of PUFs. However, PUFs react only passively to manipulations, since merely the unique information is lost. Additionally, they are inflexible and cost-intensive to produce.